Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2081
Views
6
Helpful
7
Replies

AIP SSM-10 setup and testing

Go to solution
jimmyc_2
Level 1
Level 1

‎12-14-2012 01:42 PM - edited ‎03-10-2019 05:51 AM

In my lab, I have a new 5510 with AIP-SSM card.

I believe it is configured correctly to evaluate traffic, but I can't be sure.  

Here is part of the ASA config:

class-map global-class

  match any

class-map inspection_default

  match default-inspection-traffic

policy-map  global-policy

  class  inspection_default

    inspect ftp, etc,

  class global-class

    ips inline fail-open

service-policy global_policy global

I have a PC going to a switch, going to the ASA (inside interface)

The ASA outside interface is going to a seperate VLAN on the switch.

Both have VLAN interfaces configured.

Is there a ping command, or other traffic that I can generate from the PC that will throw an alert?

I tried Ping -S from a bogus addresses, but that didn't cause an event.

How do I know if traffic is actually going through the IDS?

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to jimmyc_2

‎12-18-2012 01:29 PM

Hello Jimmy

lass-map:  global-class

    IPS:  Card status UP, mode inline fail-open

      Packet input 0, Packet output 0, drop 0, reset-drop 0

No packets are getting to the IPS module

You told me is assigned to Virtual sensor 0 on the AIP-SSM right?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎12-14-2012 05:39 PM

Hello Jimmy,

You must assigned a virtual sensor to the interface that connects the AIP-SSM to the ASA ( this must be done on the AIP-SSM, you could use either the GUI or the CLI to make it happen)

Now to test it you can use the signature ID 2004 witch is related to ICMP Echo packets.... Enabled it as its disabled by default and on the actions set it to generate an alert,, Then go to monitoring and get a report on the last minute, hour, etc. to get this log and make sure the AIP-SSM is up and ready to protect you,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
jimmyc_2
Level 1
Level 1
In response to Julio Carvajal

‎12-17-2012 07:47 AM

Thanks Julio,

Under Configuration>IDS>Interfaces, G0/1 is enabled.

I have turned on ID 2004. 

Under the IME menu  Home>Device Details:

     G0/0  Link=UP, Enabled=Yes, Mode=(blank), Rcd and Xmit are incrementing

     G0/1Link=UP, Enabled=Yes, Mode=unpaired, Rcd and Xmit are incrementing

We did not order maintenance, so I have no License.  (I'm hoping I only need this to get latest updates and support, not to run the device??)

I still have no alerts.    How do I generate them?

Regards,

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to jimmyc_2

‎12-17-2012 09:34 AM

Hello,

Good, have you try to ping across your network?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
jimmyc_2
Level 1
Level 1
In response to Julio Carvajal

‎12-17-2012 09:46 AM

Yes.  

From the PC through the Switch to the Firewall and then back to a second network (VLAN interface) on the switch.  

There is no event or log entry.

I was using Ping -S 0.0.0.0 192.168.1.1 and expected the IDS to pick up the bogus source.

I also tried a standard ping, no luck.

Using the CLI for the IDS, under show statistics virtural interface, I found "total packets processed since last reset = 0"

jc

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to jimmyc_2

‎12-18-2012 09:59 AM

Hello Jimmy,

Share the following from the ASA

show service policy

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
jimmyc_2
Level 1
Level 1
In response to Julio Carvajal

‎12-18-2012 12:22 PM

Service-policy:  global_policy

  Class-map:   inspection_default

    Inspect:  DNS, FTP, H233, etc     (all zeros)

  Class-map:  global-class

    IPS:  Card status UP, mode inline fail-open

      Packet input 0, Packet output 0, drop 0, reset-drop 0

Keep in mind that I only have one PC and one switch (with two VLAN interfaces) attached.

Thanks.

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to jimmyc_2

‎12-18-2012 01:29 PM

Hello Jimmy

lass-map:  global-class

    IPS:  Card status UP, mode inline fail-open

      Packet input 0, Packet output 0, drop 0, reset-drop 0

No packets are getting to the IPS module

You told me is assigned to Virtual sensor 0 on the AIP-SSM right?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card